1. Key Details
- Entity Name: Pine Labs Limited
- Entity Type: Prepaid Payment Instrument (PPI) Issuer
- Penalty Amount: ₹3.10 Lakh (Rupees Three Lakh Ten Thousand)
- Date of Order: March 23, 2026
- Statute Invoked: Section 30(1) read with section 26(6) of Payment and Settlement Systems Act, 2007
- Primary Violation: Issuing Full-KYC PPIs without completing Know Your Customer (KYC) of the holders.
2. Root Cause Analysis (RCA)
Based on the regulatory finding that Full-KYC PPIs were issued without actual KYC completion, the likely root causes fall into the following operational and systemic domains:
- System Logic Bypass: A technical loophole or defect in the customer onboarding flow that allowed the system state to update to “Full-KYC” before the mandatory Document Verification/Video-KYC (V-CIP) modules successfully returned a positive match.
- API Integration Failures: Possible timeouts or unhandled exceptions with third-party KYC validation APIs (like UIDAI or CKYCR) where a “null” or “timeout” response was erroneously treated as a successful validation.
- Manual Intervention / Maker-Checker Failure: In cases involving manual verification, an absence of strict “Four-Eyes” (maker-checker) principles, allowing operational staff to approve KYC status without uploading/verifying mandatory documents.
3. Preventive Controls (Remediation)
To prevent recurrence and ensure strict adherence to RBI’s Master Direction on PPIs, the following controls must be implemented:
Hard Stops in Onboarding Journey: Implement systemic hard stops. The core payment engine must automatically block the issuance or upgrade of a PPI to “Full-KYC” unless a verified cryptographic token or final approval flag is received directly from the central KYC module.
Automated Exception Alerts: Deploy real-time monitoring scripts that cross-reference the active Full-KYC database with the central document repository. Any Full-KYC account missing corresponding valid KYC documents should trigger an immediate critical alert to the compliance team.
Periodic Concurrent Audits: Institute a monthly concurrent audit specifically targeting newly onboarded Full-KYC customers. A sample of accounts must be audited independently to verify the completeness of the KYC file prior to regulatory inspections.
4. Lessons Learnt
- Zero Tolerance on KYC: The RBI maintains a zero-tolerance approach towards Anti-Money Laundering (AML) and KYC lapses, regardless of whether the transaction volumes are large or small.
- Technology Risk is Compliance Risk: Flaws in IT logic or API handlers translate directly into regulatory breaches. IT and Compliance teams must work in tandem during the User Acceptance Testing (UAT) phase of any onboarding flow updates.
- Supervisory Vigilance: The penalty stems directly from an RBI statutory inspection (covering July 2024 to May 2025). Institutions must maintain a posture of “perpetual readiness” for regulatory scrutiny rather than relying on pre-inspection cleanups.